
大萝卜's Blog

   bu.cublog.cn
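About the author
Name:       大萝卜
Occupation: I heard that technical support is the most unrewarding job in the IT industry, so I started feeling gloomy!
Signature:  I thought we were in the same /30, but the ping's "Timed out" showed me we are in different VLANs. I tried using love as the route and verified it with traceroute, but the SYN_RECEIVED in netstat broke my heart. So I chose deny any and deny ip any any, yet I keep hoping for the day the VPN comes up; please put me in your ACL.
Mailto:bxz1981#gmail.com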





IPSec Site-to-Site between routers over PIX
Lo0-10.1.1.1/24                                              Lo0-20.1.1.1/24
 !                                                                !
R1----(16.1.1.0/24)---(outside)---PIX----(inside)---26.1.1.0/24--R2
hostname NYr1
!
! IKE phase 1: pre-shared key, DH group 2
crypto isakmp policy 10
 authentication pre-share
 group 2
! Peer 16.1.1.102 is R2's address as translated by the static NAT on the PIX
crypto isakmp key isakey address 16.1.1.102

crypto ipsec transform-set transet esp-des esp-sha-hmac
 mode transport
!
crypto map cryptmap 10 ipsec-isakmp
 set peer 16.1.1.102
 set transform-set transet
 match address 101

interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 16.1.1.101 255.255.255.0
 crypto map cryptmap

ip route 20.1.1.0 255.255.255.0 16.1.1.1

! Traffic to protect: R1 loopback subnet to R2 loopback subnet
access-list 101 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
===============================================================

hostname NYr2

! IKE phase 1: pre-shared key, DH group 2
crypto isakmp policy 10
 authentication pre-share
 group 2
! Peer 16.1.1.101 is R1's Ethernet0/0 address on the PIX outside segment
crypto isakmp key isakey address 16.1.1.101

crypto ipsec transform-set transet esp-des esp-sha-hmac
 mode transport
!
crypto map cryptmap 10 ipsec-isakmp
 set peer 16.1.1.101
 set transform-set transet
 match address 101

interface Loopback0
 ip address 20.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 26.1.1.102 255.255.255.0
 half-duplex
 crypto map cryptmap

ip route 10.1.1.0 255.255.255.0 26.1.1.1

! Traffic to protect: R2 loopback subnet to R1 loopback subnet
access-list 101 permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
===============================================================

PIX Version 7.0(4)
!
hostname NYpix1

interface Ethernet0
 nameif outside
 security-level 0
 ip address 16.1.1.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 90
 ip address 26.1.1.1 255.255.255.0

! Outside ACL: ESP and IKE (UDP 500) from R1
access-list 101 extended permit esp host 16.1.1.101 host 26.1.1.102
access-list 101 extended permit udp host 16.1.1.101 host 26.1.1.102 eq isakmp

! Static NAT: R2 (26.1.1.102) appears as 16.1.1.102 on the outside
static (inside,outside) 16.1.1.102 26.1.1.102 netmask 255.255.255.255
access-group 101 in interface outside
route inside 20.1.1.0 255.255.255.0 26.1.1.102 1
route outside 10.1.1.0 255.255.255.0 16.1.1.101 1
===============================================================
NYr1#ping 20.1.1.1 sourc 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
NYr1#sh cry ips sa

interface: Ethernet0/0
Crypto map tag: cryptmap, local addr. 16.1.1.101

protected vrf:
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
current_peer: 16.1.1.102:4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0

local crypto endpt.: 16.1.1.101, remote crypto endpt.: 16.1.1.102
path mtu 1500, media mtu 1500
current outbound spi: 87E06165

inbound esp sas:
spi: 0x16CCF1CE(382529998)
transform: esp-des esp-sha-hmac ,

NYr1#ping 20.1.1.1 sourc 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
NYr1#sh cry ips sa

interface: Ethernet0/0
Crypto map tag: cryptmap, local addr. 16.1.1.101

protected vrf:
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
current_peer: 16.1.1.102:4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest 19
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0

local crypto endpt.: 16.1.1.101, remote crypto endpt.: 16.1.1.102
path mtu 1500, media mtu 1500
current outbound spi: 87E06165

inbound esp sas:
spi: 0x16CCF1CE(382529998)
transform: esp-des esp-sha-hmac ,
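
An added example, not part of the original post: a Python check over the two "sh cry ips sa" captures above that confirms the SA counters advanced by the five pings and flags the NAT-T peer port and the DES transform. The captures are abbreviated and embedded as constructed input, and the names parse_sa, check and WEAK_TRANSFORMS are hypothetical.

```python
import re

# Constructed input: the counter, peer and transform lines from the first
# "sh cry ips sa" capture above; the second capture differs only in 14 -> 19.
SNAP_1 = """\
current_peer: 16.1.1.102:4500
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify 14
#send errors 10, #recv errors 0
transform: esp-des esp-sha-hmac ,
"""
SNAP_2 = SNAP_1.replace("14", "19")

# IOS transforms with weak or no encryption: 56-bit DES and null (assumed, not exhaustive).
WEAK_TRANSFORMS = {"esp-des", "esp-null"}


def parse_sa(text):
    """Extract packet counters, peer address/port and transforms from one capture."""
    sa = {k: int(v) for k, v in re.findall(r"#(?:pkts )?([a-z ]+?):? (\d+)", text)}
    peer = re.search(r"current_peer: ([\d.]+):(\d+)", text)
    sa["peer"], sa["peer_port"] = peer.group(1), int(peer.group(2))
    sa["transforms"] = re.search(r"transform: ([\w\- ]+)", text).group(1).split()
    return sa


def check(before, after, pings_sent):
    """Compare two captures taken around one ping run; return a list of findings."""
    findings = []
    for name in ("encaps", "encrypt", "decaps", "decrypt"):
        delta = after[name] - before[name]
        if delta != pings_sent:
            findings.append(f"{name} grew by {delta}, expected {pings_sent}")
    if after["send errors"] > before["send errors"]:
        findings.append("send errors increased between captures")
    if after["peer_port"] == 4500:
        findings.append("peer on UDP 4500: ESP is NAT-T encapsulated")
    weak = sorted(WEAK_TRANSFORMS & set(after["transforms"]))
    if weak:
        findings.append("weak transform negotiated: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for finding in check(parse_sa(SNAP_1), parse_sa(SNAP_2), pings_sent=5):
        print(finding)
```
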

Posted: 2006-12-14, modified: 2007-03-07 09:40

Copyright © 2001-2006 ChinaUnix.net All Rights Reserved
